SQL Injection Attacks: The Most Overlooked Hacking Method

sqlattack

In a recent report released by Imperva, Inc., the business security solutions provider revealed that SQL injection is one of the most discussed methods of hacking attacks in a large hacker forum.  It shows that close to one in every five discussions is related to SQL injection.  Imperva laments that less than 5% of the $25 billion spent on network equipment and security software in 2011 went to mitigating this type of risk, making it one of the most overlooked hacking method today.

SQL injection is considered by the Open Web Application Security Project as one of the top ten vulnerabilities found in Web applications.

This distinction is well founded too.  SQL injection is fairly easy to do so that even beginning programmers who know the SELECT syntax in SQL can execute an attack.  Paolo Passeri at Hackmageddon.com reports that SQL injection attacks comprised 21% of hacking activities in the first half of July 2012 alone.

Compounding the risks is the availability of automated tools. These automated programs, which are freeware for the most part, can insert the codes without the hacker knowing anything about SQL.

According to Web Application Security Consortium’s Web Security Glossary, SQL injection is an attack technique that puts Web sites at risk by changing backend SQL strings by manipulating application input.

Simply put, SQL injection involves a hacker inserting a MySQL statement on a Web form or application that later runs on your database without you knowing it.

Essentially, SQL injection tries to trick your database to reveal private data that should be confidential and stored only for your use.  This is possible, as a SQL Server does not discriminate in executing received queries just as long as these queries are valid.

For example, you have a form on your Web site that asks for names and passwords.  Instead of providing the credentials, a hacker would input a SQL query instead.  This will allow him or her to gain access to your database, download it, and do anything with it.

There are two common ways of carrying out an SQL injection attack.

The first is done by exploiting the lack of user input filtering on a Web application or page. This will enable a hacker to insert malicious code that ends up included in an SQL statement and thus allowing for the execution of the malicious code.

For example, if you have an e-commerce website that sells different product lines, you might be using product categories and show these product categories by using category ID.  In this instance, you may have a page on your site that has this URL:

http://www.yourstore.com/products.asp?CatID=3

For this page to be displayed, you would need to send the following query to your database:

SQL statement

A hacker could inject a code, such as UNION SELECT to get customer data.  The UNION command tells the SQL server to join two tables.  Your intention might be to display just your products in a certain product line, but your SQL would be giving out the user names and passwords of all your customers instead.

Another common form of SQL injection is used to gain access into the site.  There are two very simple ways to do this.

A login form works by matching the user name and password a user enters into the form to the ones stored in the database.

If you have an SQL injection vulnerability, a user can just enter a’ or ‘1’=’1 in the password field.  This would create a query that appends an “or true” expression at the end of an SQL query since 1 *IS* equals 1. The true expression will then cause your Web page to display other data instead of barring unauthorized logins.

If you do not care for data and just want access without having to know the password, you can use a remark character at the end of the user name.  For example, you find out that one of the users on a Web site uses admin as the user name, then you can use admin’– as your user name.  The — character is a remark character and it will call your SQL query to be truncated.  So instead of asking for a password, the query would stop at the username and allow you to gain access into the site without even knowing the password.

This article is not meant to be a tutorial on how to do simple SQL injection attacks, so if you got lost somewhere in the examples we give you, it is somehow intended.  We just wanted to show you how easy it is to carry out an attack.  But if you are still bent on trying out some SQL injection hacking, you do not need to fret.

Automated Tools

As already mentioned, there are free programs that allow just about anyone to hack into a Web site.

These tools are available to anyone as freeware.  All you have to do is enter the target Web site’s URL, tick off some boxes, and in seconds you could have a list of valuable data such as passwords and credit card numbers. You can do this on your computer using a simple interface.

And just how prevalent are attacks carried out by these automated tools? Close to 9 out of every 10 SQL injection hacking attacks in the first three months of 2012 were made with the use of two of the most popular of these tools.

If you have no idea which Web sites are vulnerable to such attacks, do not worry.  There is another set of freeware that would help you know whether a Web site is vulnerable or not.

How to Protect Your Site From SQL Injection Attacks

Unfortunately, there are no concrete steps from ISO/IEC, the current developer of SQL, to address SQL injection attacks aside from publishing a set of standards and best practices to consider when using SQL. They are selling this guide for CHF238, or roughly US $250.

If you are not willing to shell out that much money, then you should first find out for sure if you are vulnerable.  You can use the same free tools that amateur hackers are using for SQL injection to check if your site is vulnerable and find out what types of private data are being compromised.

On top of this, these guidelines might help:

  • Avoid using dynamic SQL unless it is really necessary.
  • Turn the magic_quotes_variable off
  • Be sure to update your system by installing patches as soon as they become available.  It is wrong to think that SQL injection can happen only when you have bad SQL code. You would also need to secure your server, operating system and other tools you use.
  • Trim down your database by removing all the functionality that you do not need.

Lastly, if the problem lies in your code, you might want to get some help online to resolve it.  OWASP has provided a cheat sheet on how to prevent SQL injection attacks.

Comments